The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before 3.0.14, 3.1.x before 2017-02-04, and 4.0.x before 2017-02-04 fails to reliably prevent resumption of an unauthenticated session, which allows remote attackers (such as malicious 802.1X supplicants) to bypass authentication via PEAP or TTLS.
References
Link | Resource |
---|---|
http://freeradius.org/security.html | Not Applicable |
http://seclists.org/oss-sec/2017/q2/422 | Mailing List VDB Entry |
http://www.securityfocus.com/bid/98734 | Third Party Advisory VDB Entry |
http://www.securitytracker.com/id/1038576 | |
https://access.redhat.com/errata/RHSA-2017:1581 | |
https://security.gentoo.org/glsa/201706-27 |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2017-05-29T17:00:00
Updated: 2018-01-04T19:57:01
Reserved: 2017-05-22T00:00:00
Link: CVE-2017-9148
JSON object: View
NVD Information
Status : Modified
Published: 2017-05-29T17:29:00.200
Modified: 2018-01-05T02:31:54.480
Link: CVE-2017-9148
JSON object: View
Redhat Information
No data.
CWE